The Computer Guys
Alerts July 2006
Top 10 malware reported to Sophos in July 2006

Position  Last month  Malware         Percentage of reports
1         1           W32/Netsky-P    19.3%
2         2           W32/Mytob-AS    13.9%
3         7           W32/Bagle-Zip    9.7%
4         3           W32/Nyxem-D      6.3%
5         10          W32/MyDoom-O     6.0%
6         6           W32/Zafi-B       4.2%
7         8           W32/Netsky-D     4.0%
8         9           W32/Mytob-C      3.6%
9         Re-entry    W32/Mytob-FO     1.7%
9         Re-entry    W32/MyDoom-AJ    1.7%
Others                                29.6%

Downloader-AXM

 

Trojan Spoofs Firefox Extension, Steals IDs

An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee.

According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan.

The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "There's an order number in the message, which matches the number of the attachment," said Schmugar. "When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.

But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs Numberedlinks 0.9, an extension that in its legitimate form lets users navigate links with the keypad. FormSpy uses some of the actual extension's code to put its hooks into Firefox.

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/MyDoom-AJ (detected as W32/MyDoom-Gen) since version 3.92.

W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit.

When first run the worm copies itself to the Windows system folder as mathchk.exe and creates the following registry entries so as to auto-start (value name "RealPlayer Ath Check", data "mathchk.exe" in each case):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe

HKLM\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe

HKCU\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe
 


The worm will attempt to harvest email addresses from files on the local hard disk.

Emails sent by W32/MyDoom-AJ have the following characteristics:

Subject line chosen from one of the following, possibly in all upper case or all lower case:

Good day
Hello
Server Report
Status
<blank>

Message text chosen from:

Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
The original message was included as an attachment.
<junk>

Attached filename chosen from the following with an extension chosen from (bat cmd exe scr pif zip):

body
data
doc
document
file
message
readme
text
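As an added example (not Sophos's or this page's own code), the following Python mail filter checks a message against the subject, body text and attachment characteristics listed above; the messages it builds are constructed test samples, not captured worm emails.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators transcribed from the W32/MyDoom-AJ description above ("" = <blank> subject).
SUBJECTS = {"good day", "hello", "server report", "status", ""}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "text"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
ATTACH_RE = re.compile(r"^(?P<name>[a-z]+)\.(?P<ext>[a-z]+)$", re.IGNORECASE)

def attachment_matches(filename):
    """True if the name is one of the worm's filenames with one of its extensions."""
    m = ATTACH_RE.match(filename or "")
    return bool(m) and m["name"].lower() in ATTACH_NAMES and m["ext"].lower() in ATTACH_EXTS

def mydoom_aj_indicators(raw):
    """Return which listed characteristics (subject, body, attachment) a raw message shows."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    text = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so a folded or re-wrapped body still compares equal.
    if text is not None and " ".join(text.get_content().split()).lower() in BODIES:
        hits.append("body")
    if any(attachment_matches(p.get_filename()) for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits

def looks_like_mydoom_aj(raw):
    """Flag when the attachment matches and at least one text characteristic does;
    "Hello" alone is an ordinary subject, and the worm may pair a blank subject with junk text."""
    hits = mydoom_aj_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, filename):
    """Constructed sample message for testing; not a captured worm email."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A message with a blank subject, junk text and a matching attachment only scores on the attachment, so a filter relying on this alone should pair it with the signature detection mentioned above.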
Copyright © 1998 The Computer Guys